Department of Homeland Security Daily Open Source Infrastructure Report

Monday, June 7, 2010

Complete DHS Daily Report for June 7, 2010

Daily Report

Top Stories

• According to The Associated Press, a cap was seated atop a blown-out Gulf of Mexico well, but the volcano of oil obscured it from view early Friday making it impossible to tell if BP’s latest attempt to curtail the nation’s worst oil spill was having any success. Robots 1 mile beneath the Gulf positioned the inverted funnel-like lid over the main pipe on the leaking well Thursday night. (See item 1)

1. June 4, Associated Press – (National) Cap placed atop gulf well; oil still spewing. A cap was seated atop a blown-out Gulf of Mexico well, but the volcano of oil obscured it from view early Friday making it impossible to tell if BP’s latest attempt to curtail the nation’s worst oil spill was having any success. Robots 1 mile beneath the Gulf positioned the inverted funnel-like lid over the main pipe on the leaking well Thursday night. Live video footage, though, showed that the oil seemed unimpeded. A BP spokesman said he had no immediate information on whether the cap was successfully attached. The placement was a positive step but not a solution, said a Coast Guard admiral. “Even if successful, this is only a temporary and partial fix and we must continue our aggressive response operations at the source, on the surface and along the Gulf’s precious coastline,” he said in a statement. Source: http://www.myfoxmemphis.com/dpps/news/gulf-oil-spill-cap-placed-atop-gulf-well-dpgapx-20100604-fc_7907114

• A Hempstead, Texas man was indicted Thursday for allegedly aiding Al Qaeda in the Arabian Peninsula, the Waller County News Citizen reported. A federal grand jury in U.S. District Court for the Southern District of Texas returned an indictment charging the suspect with attempting to provide material support to a designated terrorist organization and aggravated identity theft, a U.S. Attorney and FBI Houston Special Agent in Charge announced. (See item 32)

32. June 4, Waller County News Citizen – (National) Hempstead man indicted for aiding Al Qaeda. A Hempstead, Texas man was indicted Thursday for allegedly aiding Al Qaeda in the Arabian Peninsula. A federal grand jury in U.S. District Court for the Southern District of Texas returned an indictment charging the suspect with attempting to provide material support to a designated terrorist organization and aggravated identity theft, a U.S. Attorney and FBI Houston Special Agent in Charge announced. The indictment charges the 29-year-old suspect, a United States citizen and resident of Hempstead, with attempting to provide material support to Al Qaeda in the Arabian Peninsula (AQAP) in the form of personnel, currency, pre-paid telephone calling cards, mobile telephone SIM cards, global positioning system receivers, public access-restricted United States military publications — including one involving unmanned aerial vehicle operations and another involving the effects of United States military weapon systems in operations in Afghanistan, a military issue compass and other materials. The maximum statutory penalty for this offense is 15 years in prison. The second count of the two-count indictment charges the suspect with aggravated identity theft — alleging that in furtherance of the material support to a designated terrorist organization charge, he possessed and used a false government-issued identification card. The maximum statutory penalty for this offense is five years in prison, which must be served consecutive to any sentence imposed on other counts. Source: http://www.hcnonline.com/articles/2010/06/04/waller_county_news_citizen/news/alqaeda061010.txt

Details

Banking and Finance Sector

12. June 4, IDG News – (International) Visa launches one-time passcode cards in Europe. Visa has launched a payment card in Europe that contains a keypad and an eight-character display for showing a one-time passcode, an additional defense against potentially fraudulent Internet transactions. Visa’s CodeSure also acts as a chip-and-PIN (personal identification number) card, where people enter into a terminal a four-digit PIN that is confirmed by a microchip within the card during a face-to-face or cash machine transaction. Online transactions, however, are more susceptible to fraud as they do not use the PIN, often relying only on the details printed on the card. A hacker who has obtained details such as the card’s number, expiration date and three-digit security code may be able to make a purchase online. Visa and MasterCard have been pushing online merchants to implement the more stringent 3D Secure (3DS) system, also known as Verified by Visa or MasterCard SecureCode. The system requires a person to enter a password, or portions of a password, in a browser frame displayed during a transaction in order to complete an online purchase. But 3D Secure still uses a static password selected by a consumer and is vulnerable if someone mistakenly reveals their password through a phishing attack. The alphanumeric display and keypad on Visa’s CodeSure card overcome that vulnerability. During an e-commerce transaction, the customer would press the “Verified by Visa” button on the card and enter their PIN. If the PIN is correct, the card will generate an electronic one-time passcode that can be entered into the Verified by Visa frame. This one-time passcode is only valid for a very short period of time. If it were to be intercepted by a hacker, it would have to be used quickly before it expired. Source: http://www.computerworld.com/s/article/9177663/Visa_launches_one_time_passcode_cards_in_Europe?taxonomyId=17
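The point of item 12 is that a PIN-gated, short-lived passcode limits what a phished or intercepted code is worth. The following is an added illustrative model, not Visa's or the article's code: the HMAC-over-time-step derivation, the 60-second window, the replay set and the sample secret are all assumptions, since the article does not describe CodeSure's actual algorithm.

```python
"""Model of a PIN-gated one-time passcode with a short validity window.

Constructed illustration (assumed algorithm, not Visa's): the card derives a
code from a shared secret and the current time step only after the correct
PIN is entered; the issuer accepts that code only within the window and once.
"""
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 60   # assumed validity window for one passcode
CODE_LENGTH = 8     # eight-character display, as the article describes


def _derive(secret: bytes, counter: int) -> str:
    """Derive a CODE_LENGTH-digit code for one time step (assumed HMAC-SHA256)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return format(int.from_bytes(mac[:4], "big") % 10**CODE_LENGTH, f"0{CODE_LENGTH}d")


class Card:
    """Card side: holds the secret and the cardholder PIN; no PIN, no code."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin

    def passcode(self, pin: str, now: int) -> Optional[str]:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None  # wrong PIN: the card generates nothing
        return _derive(self._secret, now // STEP_SECONDS)


class Verifier:
    """Issuer side: checks the code against the current window and rejects replay."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._used = set()  # (time step, code) pairs already accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP_SECONDS
        # Accept the current step and the previous one to tolerate clock skew;
        # anything older has expired, which is what limits an intercepted code.
        for step in (counter, counter - 1):
            if hmac.compare_digest(_derive(self._secret, step).encode(), code.encode()):
                if (step, code) in self._used:
                    return False  # a captured code cannot be replayed
                self._used.add((step, code))
                return True
        return False
```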


13. June 4, Krebs on Security – (International) ATM skimmers: Separating cruft from craft. ATM skimmers — or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data — are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap. The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Generally, these custom-made devices are not cheap, and there are not images of them plastered all over the Web. Krebs on Security found pictures obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro. The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest directly on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay. Both the card skimmer and the PIN pad overlay device relay the data they have stolen via text message, and each has its own miniature GSM device that relays SMS messages (buyers of these kits are responsible for supplying their own SIM cards). According to the vendor of this skimmer set, the devices are powered by lithium ion batteries, and can run for 3-5 days on a charge, assuming the skimmers transmit on average about 200-300 SMS messages per day. This skimmer kit even includes an alarm feature so that if it is removed — either by the fraudster or a bank manager or passerby — the devices will immediately transmit any of their stored stolen data. Source: http://krebsonsecurity.com/2010/06/atm-skimmers-separating-cruft-from-craft/


For another story, see item 42 below in the Communications Sector


Information Technology


37. June 4, SC Magazine – (International) Kaspersky Lab summit: Phishing is evolving as hackers get better and people are more easily caught out. Targeted attacks are being better exploited by cyber criminals as tactics improve. Speaking at Kaspersky Lab’s Security Analyst Summit in Cyprus, a senior security researcher at Kaspersky Lab claimed that social engineering attacks are often successful, as the writers of phishing attacks are using online tactics to better their chances of success. Asked if language-specific phishing e-mails were an issue, he claimed that these were a problem in the consumer market, but as typical “419” type attacks use online-translation services to be language-specific, they are more likely to be opened. He said: “There is also geographical targeting which can extract the IP address for social engineering attacks. There was an example of an attack where a message said that a bomb had exploded near you and they use that to gain trust. They will also use information from social networking sites such as hobbies and interests to make better social engineering stories. We are seeing exploits on Twitter with trending topics and on Google with blackhat search engine optimisation where they are using Google Trends and keywords on their sites to get better rankings.” Source: http://www.scmagazineuk.com/kaspersky-lab-summit-phishing-is-evolving-as-hackers-get-better-and-people-are-more-easily-caught-out/article/171704/


38. June 3, ComputerWorld – (National) Microsoft plans gigantic Patch Tuesday next week. Microsoft said Friday it would deliver 10 security updates next week to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer, Office and SharePoint. The patches will also quash two bugs that Microsoft acknowledged in February and April. “I’d actually call this a moderate month,” said the director of security operations at nCircle Security. “Looking at the criticality of the bulletins, and the fact that the number [of bulletins] is low, it doesn’t look like a huge month to me.” By the numbers, however, next week’s updates will be huge. Although the 10 updates fall short of the record of 13 — first set in October 2009, then repeated in February 2010 — Microsoft will fix a total of 34 vulnerabilities, the same number as the current record, also set last October. Microsoft has been shipping alternating large and small batches of fixes, with the larger updates landing in even-numbered months. In May, for example, the company issued just two bulletins that patched two vulnerabilities. April’s collection, meanwhile, amounted to 11 bulletins that fixed 25 flaws. The monthly advance notification spelled out the patches expected to appear Tuesday. Source: http://www.computerworld.com/s/article/9177643/Microsoft_plans_gigantic_Patch_Tuesday_next_week?taxonomyId=17


39. June 3, ComputerWorld – (National) Facebook dev move won’t stop rogue apps, say researchers. Security researchers said Friday that Facebook’s new requirement that developers link legitimate accounts to their software will not stop rogue applications from infecting its users with adware. Last Wednesday, Facebook announced that it will now demand that developers verify a Facebook account to create new apps on the service. “We’re taking this step to preserve the integrity of Facebook Platform, ensuring that every application is associated with a valid and real Facebook account,” an engineer and technical project manager on the platform engineering team said in an entry on the Facebook developer blog. Developers can establish they have a legitimate Facebook account by confirming their mobile phone number or adding a credit card to the account. Facebook requires the same confirmation for users who want to upload large video files. Source: http://www.computerworld.com/s/article/9177648/Facebook_dev_move_won_t_stop_rogue_apps_say_researchers


40. June 3, Congress Daily – (National) NSA leader urges cybersecurity protocols. The commander of the newly created U.S. Cyber Command said Friday the nation needs precise rules of engagement that would set the standards for a quick counterattack to a serious breach of U.S. military or civilian data networks. It also would be helpful if there were international rules on how nations can respond to cyber attacks, he said. The commander took over the new command, which is primarily responsible for protecting the military’s cyber networks, two weeks ago. He retains his duties as head of the National Security Agency, which conducts electronic surveillance of suspected adversaries and possible terrorists. During an appearance at the Center for Strategic and International Studies, he said his command is looking at current rules of engagement, how they conform to the laws and his responsibilities, and “how we can articulate those so the people know what to expect.” He said there probably need to be two sets of rules of engagement, one to cover peacetime situations and another for war. He said the issue is complicated by the possibility that an adversary may use a neutral country’s computers to launch the attack. In addition, there are differences between an attack on U.S. military systems and one against government or civilian networks. Source: http://www.nextgov.com/nextgov/ng_20100603_4464.php


41. June 1, Infoworld – (Unknown Geographic Scope) Your favorite malware authors: Now on Twitter. Who can keep up with the swarms of malware churned out by professional operations? The activities of smaller hacking groups such as the one operated by the TJX and Heartland hacker, or state-sponsored hacking operations such as the one believed to be responsible for the attacks on Google and other IT firms, are even more difficult to monitor. The malware-authoring community is more clubby than stealthy, but it has typically operated just below the surface, communicating through members-only listservs and Web sites that are not publicly accessible. But as F-Secure points out, malware authors are increasingly willing — if not eager — to talk about what they are working on in a public forum. Witness the phenomenon of the tweeting Trojan author @DarkCoderSc, a French hacker who has been updating his couple dozen followers since April on the progress of DarkComet RAT, a remote administration tool (RAT) application he is developing. (Note: “Remote administration tools” are also referred to as “Trojans” when they are used for things other than “administration.”) Source: http://www.infoworld.com/t/hacking/your-favorite-malware-authors-now-twitter-651


For another story, see item 42 below in the Communications Sector


Communications Sector

42. June 3, Wall Street Journal – (National) Dark side arises for phone apps. As smartphones and the applications that run on them take off, businesses and consumers are beginning to confront a budding dark side of the wireless Web. Online stores run by Apple Inc., Google Inc. and others now offer more than 250,000 applications such as games and financial tools. The apps have been a key selling point for devices like Apple’s iPhone. But concerns are growing among security researchers and government officials that efforts to keep out malicious software are not keeping up with the apps craze. In one incident, Google pulled dozens of unauthorized mobile-banking apps from its Android Market in December. The apps, priced at $1.50, were made by a developer named “09Droid” and claimed to offer access to accounts at many of the world’s banks. Google said it pulled the apps because they violated its trademark policy. The apps were more useless than malicious, but could have been updated to capture customers’ banking credentials, said the chief executive of Lookout, a mobile security provider. “It is becoming easier for the bad guys to use the app stores,” he said. Source: http://online.wsj.com/article/SB10001424052748703340904575284532175834088.html